For Reasons of State : Part 1

A post on why I strangely find myself supporting the government on privacy intrusion

This is the first of my two part blogpost’s on the proposed ban on blackberry services in India. These series discusses the demand for establishing a blackberry server in India for the interception of communications. I argue that this is an indicia of a gradual increase in national security regulation since the Mumbai terror attacks. This post also seeks to examine the privacy concerns and whether the actions and the seemingly inflexible demands of the Indian government are justified. The first blog post does not discuss the blackberry ban specifically but introduces the reader to the causes as well as the gradual trend towards the heightened security climate in India, with regards to telecommunication regulations. It also broadly introduces the legal limits placed on the right of personal privacy. The second part will discuss the technological structure of the blackberry device, the device specific concerns and the developments on this controversy which is developing daily.

For all the unsavory things Henry Kissinger has said to Nixon about Indians and Indira Gandhi in the past, his 1994 book, “Diplomacy” has its highs of eloquence and levels of reason. He uses concepts such as real politic and raison d’ etat to explore international relations of countries through the ages and posits his realist analysis on them. The recent controversy of a, “blackberry ban” brings to focus the concept of raison d’ etat. The concept evolved in 17th century France which can be roughly translated to, “for reasons of state” and in Kissinger’s words, it asserts, “that the well-being of the state justified whatever means were employed to further it; national interest supplanted the medieval notion of a universal morality”.

I cannot agree with this completely, for a crude application of this principle, would reduce many a country to a totalitarian regime (remember the perpetual state of war maintained by Oceania in 1984). However, at the same time there is much sense in the “national interest” argument. What makes the concept more relevant to the present discussion is the increased use of technology by terrorists. Recent terrorist attacks in India have revealed an increased dependence by terrorists on emails, mobile and satellite phones to plan, coordinate and execute terrorist attacks.

Parallel to this there is also a growing sense of privacy in India. With higher disposable income and ownership of more material possessions there is growing sense of “my property” from our traditional views of “our property”. There is also a growing penetration of broadband and blogs which highlight these issues increasingly. Whatever be the sources, it is undeniable that modern middle class Indians have a sense of personal privacy. In this background the blackberry issue symbolizes more than just a mere “security issue”, it represents the tension between the competing interests of the state and the individual. First lets examine what has been the trigger of this controversy.

Apprehension and actual harm

Security concerns over blackberry devices were first aired in the corridors of power in 2008. In April I even wrote a short post on the wrangling between the government and the makers of blackberry devices due to the inability of security agencies to intercept some types of traffic data on the device. This is because of the triple DES level encryption employed by blackberry devices. I suggested a key escrow as a way out. My suggestion was more in the domain of a legal solution to any privacy concerns which could be there for Blackberry users. In retrospect it would seem, (if we go by blackberry’s description of its technology) technically impossible (discussion on the technological architecture in part 2).

Then the Mumbai Terror Attacks happened. These were one of the most horrific terror attacks on Indian soil. What differentiated these attacks from previous ones was the level of coordination and damage wrought by 10 terrorists and their handlers. There were news reports that these attacks were planned, coordinated and executed by a reliance on consumer technologies. A post by security expert, Noah Shachtman who writes the popular, “Danger Room” column at wired.com stated that,

As they approached Mumbai by boat, the terrorists “steered the vessel using GPS equipment,” according to the Daily Mail. A satellite phone was later found aboard. Once the coordinated attacks began, the terrorists were on their cell phones constantly. They used BlackBerries “to monitor international reaction to the atrocities, and to check on the police response via the internet,” the Courier Mail reports. The gunmen were able to trawl the internet for information after cable television feeds to the two luxury hotels and office block were cut by the authorities. The men looked beyond the instant updates of the Indian media to find worldwide reaction to the events in Mumbai, and to keep abreast of the movements of the soldiers sent to stop them. Outside of Leopold’s Cafe, “one of the gunmen seemed to be talking on a mobile phone even as he used his other hand to fire off rounds,” an eyewitness told The New York Times.

The attacks changed our lax attitude towards national security. I have commented before how the attacks were termed “India’s 9/11”. The comparison was not totally misplaced. After the attacks both countries discovered their appalling lack of clear command and control structures, information gathering and sharing. Something needed to be done. Our Lok Sabha responded like the US Senate did, rushing through enactments to “strengthen” national security. For reasons of state, new laws were created, old ones were amended, the ones which remained were enforced.

Security Regulatory Overhaul

This legal upheaval was most visible with regards to telecommunications and internet regulations. The Information Technology Act, 2000 was finally amended and the amended act was notified in late 2009. Along with the amendments came regulations on interception of online communications. I have written on these topics at length in my article balancing online privacy in India which can be accessed at the following link.

Alongwith these amendments there also came regulations on authentication of the identity of the person availing the telecommunication or the internet services. First came regulations on the secure use of WiFi access points. These were issued by the Department of Telecommunications (DoT), on February 23, 2009. The regulations applied to all ISPs serving leased line subscribers, home users, and WiFi hotspots in public places. The objective of the regulation was to prevent misuse of WiFi Internet access and to be able to track the perpetrator in case of abuse. This made it necessary for any internet access provider to enforce a centralized authentication using LoginID and a password for each user. After this, on September 3, 2009 came the regulations on the authenticity of IMEI numbers. The IMEI number which is unique to each cellular handset is paired with a network on activation. This IMEI number is also matched against each handset in an international database. When combined with a local register maintained by the telecom company containing the details of its subscribers, the cellphone was irretrievably linked to a person.

More recently there were regulations made on the sourcing of telecom equipment. These regulations were made due concerns that the equipment which was usually sourced from abroad could have embedded backdoors which could be used for counter intelligence by foreign countries. These regulations established a approval based process where a security clearance would have to be obtained by a telecommunications service provider. Here a pro-forma with details of the name, source and country of the manufacture of the equipment would have to be submitted to the DoT for approval before it could be sourced. A New York Times article examined this issue from the perspective of telecommunication companies which were unhappy with the regulations citing that it would cause delays as well as increase costs (as Chinese telecommunication equipment constitutes the bulk of the sourcing due to the low costs and it would be the most natural suspect class hit by delays in approvals and even rejections). Another story also highlighted a, “memo posted on its Web site on March 18, the Telecommunications Department clarified its security clearance rules, stating that the “operation and maintenance of telecom networks should be entirely by Indian engineers” and adding that the “dependence on foreign engineers should be minimal” within two years from a purchase.” The recent blackberry controversy is only the latest in the continuous regulatory efforts by the Indian government to strengthen national security. Its not the first and definitely not the last. However, the blackberry controversy in my view is serving an extremely important function. The privacy argument which has always been generally latent, discussed by academics and staunch civil libertarians, is now ripe for widespread national discussion. In the end I see this debate as defining a lot of ground rules on privacy, security policy as well as encryption technologies.

To kick of the next part I discuss why there is such an inexorable demand by the Indian government on blackberries specifically. What makes the technical architecture of the blackberry so difficult to crack? And is there truth to RIM’s (research in motion, the makers of the handset) defenses of “we would (comply), if only we could”!

Related articles

Comments are closed.